I am being asked to perform a forensics investigation on a network.
The reason being that for the past few months strange things have been happening on the network. VLANs are being deleted, configuration changes are being made, and all sorts of modifications are occurring on the network devices. It ranges from the firewalls, through the SSL VPN device, all the way up to the switches. The system administrators feel like they are being toyed with, and I was asked to see if I can find anything (this hasn't been labeled a real "forensics investigation" since I am no forensics investigator; I was simply asked to give my best effort on this).

The question is, how do I go about it?
Does it all just come up to collecting the logs and looking for events around the time that the company felt the changes?
Is there any basic methodology "for-dummies"?
Is this sort of investigation an easy task, or is it a tedious, boring, time-consuming effort?

4 Answers

To paraphrase the question: how do I go about performing forensics with no prior experience?

You don't. Seriously. There are dummies books available that will touch on the basics and there are a number of websites that will walk you through common situations but to perform any defensible forensic analysis you will need the proper training and documentation.

To the point of 'this hasn't been labeled a real "forensics investigation"'; maybe it hasn't, but it could and there is a very real possibility that you could alter evidential data in your analysis. Should this become a 'real' investigation you might find yourself in a bad situation.

-IF- you get it in writing that this is not ever ever ever going to move toward a legal issue, with complete indemnity for you, then grab a copy of Computer Forensics for Dummies and have a ball.

+1: You're in dangerous territory here: the semantics of what is a real investigation / evidence have not really been addressed - even if this investigation does not go outside your company there can be very damaging consequences for anyone you point the finger at. And bear in mind that the first thing you should learn about forensics is that you can't rely on any information you retrieve from a machine believed to be compromised (logs etc. might provide hints - but there's always the possibility they've been tampered with unless you have a SIEM designed to address this).
– symcbean Mar 6 '13 at 12:43

A forensic investigation involves preserving data for future law enforcement; it doesn't sound like you are being asked to do that. Rather, it sounds like you are being asked to investigate and remediate security issues on your network that are causing problems. That's just a plain old review. If they do expect you to perform a genuine forensic investigation then tell them no, you aren't equipped for it and you could get into trouble if you do it wrong.

As for what it will entail and how long it will take, these cannot be answered as there are too many dependencies. Whether you can accomplish it at all depends on whether your company is actually capturing the data you need.

Get a list of events: when do people think that these strange occurrences happened? What else was happening at the time? Can the strange happenings be linked? For instance, did someone leave the company about the time odd things started happening?

Enlist the assistance of technical specialists to help you sort through it all. Use them to detail what may have caused the issues. If you don't have a background in the technologies then you will need their help, and it is in their best interests to help you sort out the issues. Get them to translate technical possibilities into actionable queries you can use to search your data sources for clues.

Map possibilities to data sources and times: simply looking at logs around the time "things started happening" is unlikely to bear fruit; you need to know what you are looking for. Use the queries your technical specialists developed to focus the search.
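As an added illustration of the "map possibilities to data sources and times" step in this answer (example code written for this point, not posted by the answer's author), the script below runs two concrete queries over constructed Cisco-style syslog lines from a core switch, an edge firewall and an SSL VPN device: which configuration changes were logged in the hours before each reported incident, and which source addresses made changes under more than one account. All hostnames, accounts, addresses and times are made up.

```python
import re
from datetime import datetime, timedelta
# Constructed Cisco-style syslog lines from the device types the question names (core switch,
# edge firewall, SSL VPN). Hostnames, accounts, addresses and times are all made up.
SAMPLE_LOGS = """\
Mar 01 2013 02:14:07 core-sw1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.0.0.5)
Mar 01 2013 02:15:30 core-sw1 %VLAN-5-DELETE: VLAN 120 deleted by jdoe
Mar 01 2013 09:01:12 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.9)
Mar 03 2013 23:48:02 edge-fw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar 03 2013 23:50:41 edge-fw1 %ACL-6-CHANGE: access-list OUTSIDE_IN modified by admin
Mar 04 2013 10:30:00 sslvpn1 %SYS-5-CONFIG_I: Configured from console by svc_backup on vty0 (10.0.0.5)
"""
# Constructed "when do people think it happened" list gathered from the administrators.
REPORTED = [("VLAN 120 missing", datetime(2013, 3, 1, 8, 0)),
            ("Firewall rule changed", datetime(2013, 3, 4, 8, 30))]
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
USER_RE = re.compile(r"\bby (?P<user>\S+)")
SRC_RE = re.compile(r"\((?P<src>\d+\.\d+\.\d+\.\d+)\)")

def parse(text):
    """Turn raw syslog text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, src = USER_RE.search(m["msg"]), SRC_RE.search(m["msg"])
        events.append({"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                       "host": m["host"], "msg": m["msg"],
                       "user": user["user"] if user else None,
                       "src": src["src"] if src else None})
    return events

def events_near(events, when, hours_before=12, hours_after=1):
    """Changes logged in a window before (and shortly after) the time a problem was noticed."""
    lo, hi = when - timedelta(hours=hours_before), when + timedelta(hours=hours_after)
    return [e for e in events if lo <= e["ts"] <= hi]

def shared_source_accounts(events):
    """Source addresses that made changes under more than one account: a concrete query to run before forcing password resets."""
    by_src = {}
    for e in events:
        if e["src"] and e["user"]:
            by_src.setdefault(e["src"], set()).add(e["user"])
    return {src: users for src, users in by_src.items() if len(users) > 1}

if __name__ == "__main__":
    for label, when in REPORTED:
        print(label, [(e["host"], e["user"], e["src"]) for e in events_near(parse(SAMPLE_LOGS), when)])
    print("addresses used by several accounts:", shared_source_accounts(parse(SAMPLE_LOGS)))
```

On the constructed data the second query shows one address (10.0.0.5) making changes as three different accounts, which is the kind of lead a specialist would turn into a follow-up question about access control, not proof of anything on its own.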

Let me help you: if I were in your shoes I would go ask the network device administrators about the recent changes and demand a review of access control and password management procedures. The symptoms you are entailing are quite normal considering the pace and operations of an organization. You don't need forensics unless your boxes have been owned by an intelligent worm, which is practically absent in current attack vectors against top-line network devices unless we are talking about Chinese-made stuff, ZTE or Huawei for that matter.

If you want a quick win, put a good IDS box in front of the core FW, let it see all the traffic, and if it picks something up, relate this to your attack symptoms.

The best thing you can do is to obtain a list of all privileged users from each network device. Validate that list with the head of Network Operations, or whoever is in charge of the Network. Finally, force a password change for all accounts, including built-in administrative accounts.